What You Should Know About Nmap – A Network Mapper

Nmap, or ”Network Mapper”, is an open source license and free utility for the network discovery and also the security auditing. There are plenty of network administrators who find it useful for many tasks such as managing service upgrade schedules, network inventory, monitoring service or host up time and much more. Besides the network administrators, there are also many systems which find this tool very useful. It uses raw IP packets which are in a novel way determined what the hosts have available on the network and which services those hosts are actually offering. That refers to the application name and its version. Besides that, it is easily seen what operating systems are they running (for examples OS versions) and also what type of packet firewalls or filters do they use. That is not all, it can detect the dozens of other characteristics.

What was the purpose of its design? It was made in such a way to produce the rapid scan on the large networks and also to work fine against the single hosts. It is well known that nowadays the Nmap runs on all the major computer operating systems. The official binary packages are available for Windows, Linux, Mac OS X and more.

Its suite includes an advanced GUI and results viewer which is called Zenmap. Besides the Zenmap, it has its flexible data transfer, Ncat-a debugging tool, redirection and the utility for comparing the scan results-Ndiff. And that is not all. It is hard to catch everything that this amazing tool can achieve! It contains a packet generation and the response analysis tool which is called Nping.

Linux Journal, Info World, Codetalker Digest, and LinuxQuestions.org named Nmap a ”Security Product of the Year”! Besides this great honor, it was featured in the twelve movies. Examples of those movies are the ones you’ve heard of-Matrix Reloaded, Girl With the Dragon Tattoo, Die Hard 4 and The Bourne Ultimatum.

This great tool celebrated its 20th birthday on September 1st this year! It has been developing all these years and now is available as Nmap 7.60, 7.50, 6.25, 5.50, 5.00 and 7! The company also improved the Icons of the Web project with a 5-gigapixel interactive collage of the top million sites over the Internet. What a great achievement! Now, the company even has an active Nmap Facebook page and also a Twitter feed. There, they can also augment the mailing lists. We will take you through a whole guide of Nmap tutorial here! All of the Nmap options are awaiting you at the bottom of this article!

So, let’s take a closer look at this great tool’s characteristics in theory! What is Nmap like? First of all, it is very flexible. Supporting the dozens of the advanced techniques for mapping out networks which are filled with the IP filters, routers, firewalls or other obstacles of many various kinds. So, what that includes? It includes a plenty of port scanning mechanisms, which are both TCP & UDP, version detection, ping sweeps, OS detection and so much more.

Besides being flexible, it is not so hard to guess how powerful this tool is! It has been used successfully for scanning huge networks of basically hundreds of thousands of machines. Can you even imagine that?

Nmap is a portable tool. And what does that mean? It explains that most of the operating systems are supported. That includes Linux, Microsoft Windows, OpenBSD, FreeBSD, IRIX, Solaris, Mac OS X, HP-UX, Sun OS, NetBSD, Amiga and the list goes on.

Nmap is not just flexible, powerful and portable tool. It is also an easy tool. While offering a rich set of advanced features for some power users, you can also start out with it as a simple ”Nmap -v- A target-host”. So, both the traditional and the graphical command line (also known as GUI) versions are available to suit your preferences no matter what they are.

There are the binaries, which are available for the people who don’t want to compile the Nmap from a source.

Free. Yes, you have read that right. Nmap is a free tool! That was the primary goal of the company’s project. They wanted to make the Internet a bit secure than it was before. In that case, they also achieved providing the administrators, auditors and also hackers an advanced tool for exploring their networks. It is available for free download and comes with a full source code. That source code you may modify by yourself and redistribute it under the terms of the license.

Nmap is also well documented. The great amount of effort has been put into the comprehensive and up-to-date man pages, tutorials, and white papers, and at the end the whole book! It can be found in the multiple languages.

This tool comes with no warranty, but it is well-supported by a vibrant community of the developers and the users. So, where then most of the interaction occurs? It happens on the Nmap mailing lists. Plenty of bug reports and also the questions have to be sent directly to the Nmap-dev list. But, it has to happen after the user reads the guidelines. This company highly recommends that all the users should subscribe to the low-traffic Nmap-hackers announcement list.

The Nmap is acclaimed. It has won dozens of the awards, as I was talking about that earlier in this article. So, it became popular within the users. Thousands of people around the globe download it every single day! Now it is among the top ten (out of 30, 000! ) programs at the Freshmeat because it is included with so many operating systems. Those are Redhat Linux, Gentoo, FreeBSD, Debian Linux and the others we’ve already mentioned earlier.

This company encourages the users to subscribe to the Nmap-hackers mailing list which has a low volume. They can also subscribe to get the latest news about the most important announcements about Nmap, Incesure.org and some other related projects. There are more than 128, 000 subscribers all over the world already. Why don’t you join?

They have also developed a list for more hardcore members, especially for the programmers, and those who are interested in helping this project by helping with some sort of coding, feature ideas, testing and everything they came up to.

I’ve made you an intro about this amazing tool! We will now take a closer and detailed look at its options! There are so many of it and I will try to make it all clear to you, not missing anything!

Target Specification

This is the first option of this great tool! Everything that can be found on the Nmap command-line that isn’t an actual option or option argument is always treated as the target host specification, specifying a target IP address or its hostname for scanning.

Nmap also supports the CIDR-style addressing when the user wishes to scan a whole network of adjacent hosts. It is also common that Nmap accepts the multiple host specifications which are on the command list, so yes, they don’t even need to be the same type.

Control target selections also include the input from the list. What does that mean?

Input filename is a place from where the Nmap reads the target specifications. It passes a huge list of hosts which are often awkward on the command line. But, it is still a common desire. So, if your DHCP server exports a list of 10, 000 current leases that you wish to scan, you can. Maybe you want to scan all IP addresses except for those with whom you want to locate the hosts which are using the unauthorized static IP addresses. Simply generating the lists of hosts for scanning and passing a filename to Nmap as an argument to the -iL option (input filename).

Num hosts. Also called as-choose random targets. Sometimes, you may want to choose a random target. This is useful especially for the Internet-wide surveys and many other researchers. So, here the <num hosts> arguments tell the Nmap how many IPs are there to generate. There are the IPs which are in certain private, unallocated address ranges or those that are multicast. Those are undesirable IPs. These are automatically skipped with Nmap.

Exclude. Excluding the hosts or networks. Nmap tool is specifying a comma-separated list of the targets which need to be excluded from the scan. That happens even if they are apart of the overall network range which you may specify. A normal Nmap syntax includes hostnames, CIDR netblocks, octet ranges and much more. This can be also very useful when the network you want to scan is including some untouchable mission-critical servers or systems which are well-known to react adversely to port-scans. They can react the same on subnets which are administrated by the other people.

Exclude the list from a file. What does this option offer? It offers actually the same functionality as the previous ones-exclude. But, there are some differences. The excluded targets are provided in a newline-, space- or even tab delimited. They are in that way rather than in the command line. Besides that, the exclude file might also contain some comments which often start with # and extend to be at the end of the line.

Host Discovery

There are one of the very first steps which are used in any networks reassurance mission and for reducing a set of IP ranges into a list of active or interesting hosts. You probably heard by now that scanning every single port of every IP address is so slow and most of the times not even necessary. There are the network administrators which can be only interested in hosts running some certain device. At that time, the securing auditors may take care about every single device that occurs with the IP address.

All in all, the host discovery needs are so diverse. In that case, Nmap offered a wide variety of numerous options for customizing the techniques which are used. Ping scan, or host discovery, goes well beyond the simple ICMP echo request packets which are associated with the ubiquitous ping tool. So, what does the Nmap offers? It offers the users to skip the entire ping step with a list scan or even by disabling a spin itself. Let’s take a closer look at it!

List scan. This is a degenerate form of host discovery which simply lists each host of the network specified and without even sending any packets to the targeted hosts. Although, the Nmap still does reverse. That is called the DNS resolution on the hosts which need to learn their names. At the end, it reports the total number of the IP addresses.

No port scan. This is an option of Nmap which tells not to do any port scan after the host discovery. It only acquires printing out the available hosts which actually responded to the host discovery probes.

No ping. This is a great option which skips whole Nmap’s discovery together. Although, Nmap continues with performing the requested functions as if each target is IP active.

No DNS resolution. Telling Nmap to never do a reverse DNS resolution on the target’s IP address. DNS is commonly only performed against the responsive and online hosts.

Port Scanning Basics

The core fiction of Nmap is definitely port scanning. The company has grown its functionality over the years! Let us explain it on the example. Nmap target scans 1, 000 TCP, a simple command, ports on the host target. Nmap is much more granular than so many other traditional port scanners which just lump all ports into the open or even closed state. So, by being granular Nmap divides the ports into the six states. Those are:

1.Open. Here, the application actively accepts the TCP connection, SCTP associations or UDP datagrams on this port. The primary goal of the scanning is to find these. Nowadays, the people which are security-minded know how each open port can be an avenue for the attack. They want to exploit those open ports, while the administrators are trying to protect or even close them with their firewalls without thwarting the legitimate users.

2.Closed. This port is accessible, although there is no application listening on it. The closed ones can be quite helpful while showing that a host is up on the IP address. Also, he/she can be a part of OS detection. There are some administrators which prefer blocking these ports with a firewall.

3.Filtered. It is the truth that Nmap cannot determine whether the port is open or not. It happens because the packet filtering prevents its probes from reaching the port. But, here we have a filtered port! It can frustrate the attackers because such ports provide so little information.

4.Unfiltered. This state means that a port is accessible.

5.Open and filtered. When does the Nmap place the ports in this way? It puts the ports in this state when it is unable to determine whether a port is open or filtered. It can occur for some scan types in which open ports give no response.

6.Closed and filtered. Nmap uses this state when it can unable to determine whether a port is closed or it is filtered. It is a good thing to mention that this state is only used for the IP ID idle scan.

Port Scanning Techniques

Nowadays, it is well-known how the experts understand plenty of different scan techniques and in that way, they choose the appropriate one for a task that is given. Often, they use a combination of those techniques for a better result. Of course, not all of the user are experts, and there are so many inexperienced people on the web, who most of the time try to solve the problem by the default SYN scan. So, because we have said how this great Nmap tool is free, what is then the only barrier? The only barrier to port scanning is the knowledge. That would definitely be the conclusion.

Let’s take a closer look at the types of the scan!

TCP SYN scan. This scan is the most popular and often a default one. It has popular scan options for great reasons. Performing its actions quickly and scanning a thousand of ports per even a second. It can work against any compliant CTP stack rather than to depend on idiosyncrasies of some specific platform.

TCP connect scan. This one is a default when the previous one is not an option. It may happen when the user does not have the raw package privileges.

UDP scans. These services are widely deployed and are the three most common ones used.

IP protocol scan. It allows you to determine which IP protocols (they may be TCP, ICMP, IGMP etc) are actually supported by the target machines. Actually, this isn’t a port scan. Well, technically. It cycles through IP protocol numbers rather than through the TCP or UDP port numbers. Besides being useful for scanning, it can also demonstrate the power of the open-source software.

FTP bounce scan. This one supports proxy FTP connections. And what does that mean? It allows the users to connect to one FTP server and to ask for the files to be sent to a third-party server. But don’t worry, the Nmap will tell you if the host is vulnerable or not.

Port Specification and Scan Orders

Nmap is such a tool which always offers so many options for specifying which ports are actually scanned and whether the scan order is randomized or a sequential. Nmap by its default scans the most common 1, 000 ports for every single protocol. Let’s take a closer look what does that actually means and how it looks!

-port. Port ranges. This means only specified ports. The option which specifies the ports you want to scan. It also overrides the default.

The ports can also be scanned and specified by the name which is according to the port which is actually referred to in the Nmap-services. It is also allowed for you to use the * and ? with the names. So let’s take a look how it can be represented in the example.

If you want to scan an FTP and all of the ports which name begins with the ”HTTP”, you need to use -p. You also need to be very careful about the shell expansions and to quote the argument to -p if you are unsure about it.

There are the ranges of ports which can be surrounded by the square brackets to indicate ports which are inside that range who appear in Nmap-services.

Excluding the specified ports from scanning. What does this option mean? It specifies which are the ports you want the Nmap to exclude from the scanning. When you ask for some port to be excluded, it will be excluded from all the scanning. You need to remember that.

Don’t randomize ports. Nmap by its default randomizes the scanned port order. It does it for all, except some certainly common accessible ports which are moved near the beginning for some efficiency reasons. It is normally desirable, but you can always specify the -r for some sequential port scanning instead. That means sorted from lowest to highest.

Service and Version Detection

A pointed Nmap at a remote machine might tell you that ports 25/tpc or 80/tpc or even 53/tpc are actually opened. So the conclusion is that if you use the Nmap-services you will have about 2, 200 well-known databases. In that case, the Nmap would report you that those have probably been corresponding with a mail server, such as SMTP. They may also correspond to the web server-HTTP or even to name the server respectively-DNS.

It is really important to remember that when you are doing the vulnerability assessments (it also refers to even simple network inventories), of your company or just clients, you must know which email and DNS servers versions are really running. If you have the accurate version number it will help you to dramatically determinate which exploits a server is actually vulnerable to. What helps you to obtain this information then? The version detection. Remember that very well.

Once when the TCP or UDP ports are discovered with using one of the recommended methods, the version detection then interrogates such ports to determine more about what is actually and truly running. So the Nmap service probes databases contain such probes for querying so much various services and match its expressions for recognizing and parsing the right response.

What does the Nmap try to do here? It tries to determine the service protocol. hostname, the version number, the device type and the OS family and so much more. What a powerful tool, right?

There are the following options for a version detection which can be enabled and controlled. First of all, we have -sv. It is also known as version detection. As we already mentioned, this option enables the version detection. The second one is –allports. It actually means-don’t exclude any ports from version detection. All you need to do here is to modify or to remove the Exclude directive which is in Nmap-service-probes. Besides that, you can specify –allports to scan all of the ports regardless to any Exclude directive.

Set version scan intensity. Also known as –version-intensity. Here, the Nmap sends a varies of probes. Each of those probes is assigned a rarity value between the one and nine. So, the lower numbers are effective against the wide variety of common service. The higher numbers are actually rarely useful.

OS Detection

Let us introduce you with the one of the Nmap’s best-known feature! It is a remote OS detection which uses TCP/IP stack fingerprinting. Here, the Nmap sends some series of TCP and UDP packets straight to the remote host. After that, it examines practically every each bit in the responses that arrive. After the performance of the dozens of test such as TCP INS samples, options supports, and ordering, IP ID sampling, then the Nmap compares those results to its Nmap-os-DB database which has more than 2, 600 known OS fingerprints and those prints out of the OS details if there is a match. So, here, the each of the fingerprints includes a free room textual description of the OS and its classification. That classification provides the vendor name, which can be for example Sun. It may also arrive as the underlying OS (Solaris) or OS generation (10).

Sometimes it happens that the Nmap is somehow unable to guess the OS of the machine and then it provides the URL which you can submit the fingerprint which you know. You need to know which OS is actually running on the machine.

There are some options which the OS enables. Those are:

-o. This means enabling the OS detection. We discussed it above, so it is clear.

–osscan-limit. This option limits the OS detection for some promising targets. In this case, it is important to find at least one opened and one closed TCP port.

The third option is often called guessing. When there is a situation in which Nmap cannot detect the perfect match for the OS, it usually offers those matches which are up-near it. In that case, it matches its possibilities. Don’t worry because Nmap will tell you when an imperfect match is printed and it will display its confidence level always. It will show you the percentage of the guessing. It will do the same for every match.

–max-os-tries. This option is actually a way to set the maximum number of OS detection tries against some target. Imagine a situation where the Nmap performs OS detection against a target. Let’s say it fails to find its perfect match. When that happens, the Nmap will repeat the attempt until it finds the perfect match.

Nmap Scripting Engine

Also known as NSE. One of the most powerful Nmap’s features. This feature is also very flexible. What does it do for the users? It allows them to write and to share some simple scripts for automating a wide variety of the network tasks. It can be achieved using the Lua programming language. Those simple scripts are often executed in parallel with the speed and the efficiency you are going to expect from the Nmap. Users may calmly rely on the growing and diverse set of scripts which are distributed with the Nmap. They can also write their own if they want to meet some of their’s custom needs.

Once when the directory name is given, the Nmap always loads each of the files in that directory whose name often ends with the .nse. All of the other files are usually just ignored. The directories are also not researched recursively.

It may happen that the file name is given, and it may not have the .nse extension. In that case, if it is necessary, Nmap will automatically add it.

Where are the Nmap scripts stored? They are stored in the scripts subdirectory of the actual Nmap data directory by default. For better use, those scripts are indexed in a database which is stored in scripts/script.db. That lists the categories in which each of the scripts belongs.

Let’s take a closer look at the options here!

–scripts-args. This option provides you the arguments to NSE scripts. They are always a comma-separated list of actual name=value pairs. Those might be the strings which don’t contain whitespace or some particular characters.

–scripts-args-file. It is also known as a filename option. It let you load the arguments to NSE scripts from a file you want or need. It can be an absolute path which is often relative to Nmap’s usual search path, also known as NMAPDIR.

–scripts-help. This option will show you the help if needed about the scripts. Here, the Nmap prints the scripts name, its description and also the category where it belongs.

–script-trace. Here, a displayed information always carries the communication protocol, the target and the source of the transmitted data.

Timing and Performance

Did you know that one of the highest development priorities for the Nmap was always the best performance? It is not such a hard guess, right? A default scan by the Nmap of a host on any of your local network takes actually as much time as the blink of an eye. It is hard to imagine, but yes, this company achieved such a success!

Besides that, the user always has ultimate control of the Nmap’s running, so it is up to about the speed. It is well known how the experts’ users behave with the Nmap command. They obtain only the information for which they really care about. In that case, they are meeting their time constraints.

There are some techniques for improving the scan time. Those include omitting the non-critical tests and also upgrading to the latest version of Nmap. There is one more thing which can make a substantial difference, and that is the optimization of the timing parameters.

There are also some options which accept the time parameters and this can be specified in a second, and by a default. Also, the value can be specified for milliseconds, seconds, minutes or even hours. Depending on the user’s needs.

One of the greatest ability of the Nmap, besides everything we talked about, it definitely that it can port a scan or even a version scan for multiple hosts in the parallel. It does it by dividing the target IP space into the groups and after that, it scans one group at a time.

Firewalls/IDS Evasion and Spoofing

There are so many internet pioneers out there who envision a global open network with a universal IP address space. Those follow some virtual connections between any two nodes. It may allow the host to act in a way as true peers. Then they are serving and retrieving the information from each other.

It is the truth that the network obstructions (for example-firewalls) may make mapping a network exceedingly difficult. But the Nmap has a solution here. It offers many features which help to understand some complex networks and it also makes a huge difference when it comes to verifying those filters are working as it was intended.

So many companies are increasingly monitoring the traffic in addition to restrict network activity. They achieved it with the intrusion systems, such as IDS. The IDSs ships have some rules which are designed to detect the Nmap scans. They usually do it because some scans are often a precursor to the attack.

It happened that people suggested that Nmap shouldn’t offer the features for evading firewall rules or even sneaking past IDSs. They think that those features are just likely to be misused by the attackers, as they can be used the same for the administrators who enhance their security.

But, the Nmap company replied that there is no magic bullet for detecting and subverting firewalls and IDS systems. But there are so many options which can reduce such problems. Those are the fragment packets, cloak a scan with decoys, spoof source address, use specified interface, spoof source port number and much more…

Such a powerful tool wouldn’t allow itself for such things to happen, remember that.


As someone who is into the tech world, you must definitely know how a security tool is as useful as the output it actually generates. What is of great value here? It is all about the complex tests and algorithms, which are not of a great value if they are not really representative in an organized comprehensible fashion. It is well known that the Nmap is used by people and the other software, but of course, no single format could please everyone.

In that case, Nmap came to the idea to offer several formats. Those include the interactive mode for people to read directly. It also offers the XML for easy parsing by software.

So, it provides the options for controlling the verbosity of the output as well as debugging the messages. Such types can be sent to standard output or to some named files. Nmap may attend to append them or to clobber.The output files can be also useful for resuming the aborted scans.

There are the five Nmap output formats. Those are:

-oN. This is a normal output.

-oX. XML output. It requests that the XML output needs to be directed to the given filename.

-oS. This one is also known as a script kiddie. It is like an interactive output.

-oG. Grepable output. Its format is covered last because it is actually deprecated. It is still quite popular because it is a simple format which lists each host on the one line.

-oA. This is an output to all formats.


Miscellaneous Options

These options don’t fit anywhere else, so we will take a closer look at them here.

First one, -6. It is enabling IPv6 scanning. It means that Nmap has this support for all of its important features. Those may be port scanning, ping scanning, version detection, the Nmap Scripting Engine and so on. They all support the IPv6.

It is mostly used and is significant in some Asian countries. Also, the most modern systems support it.

Aggressive scan options. Also known as -A. Enabling the additional advanced and many aggressive options. It enables the OS detection and a version scanning, traceroute and script scanning etc. It is believed that more features will be added to this option in the future.

Specify custom services file. This option is asking the Nmap to use some specified services against using the Nmap-services data file which often comes with Nmap. It causes a fast scan.

Send at raw IP level. Here, the Nmap is asked to send the packets through the raw IP sockets rather than by sending the lower level ethernet frames.

Print help summary page. An option which prints a short help summary screen. That screen has most common command flags. So, here the Nmap does the same thing.

Runtime Interaction

All of the key presses are captured when the execution of the Nmap is happening. That may allow the user to interact with a program without even aborting or restarting it. Here you can increase or decrease the verbosity level, the debugging level, to turn on or to turn off the packet tracing and to print the runtime interaction screen.

All in all, that is what you need to know about this great tool! Hope that you have learned a lot and that we informed you very well. Keep on reading about the information and the news that Nmap brings because they never stop with improving themselves! Let’s have a detailed look as I’ve promised at all of the options!

Let’s start with the target specifications.

Nmap scans a single IP. Nmap 192. 168.2.1 scans a specific IPs.

Nmap scans a range. Nmap scanme.nmap.org scans a domain.

Nmap scans using a CIDR notation.

-iL Nmap targets.txt scans the targets from the file.

-iR Nmap 100 scans the 100 random hosts.

–exclude Nmap excludes the listed hosts.

Now, we will see the scan techniques.

-sS Nmap is a default TCP SYN port scan option.

-sT Nmap is a default TCP connection port scan but without a root privilege.

-sU Nmap is a UDP port scan.

-sW Nmap is a Window’s TCP port scan.

-sM Nmap is a Maimon’s TCP port scan.

After the scan techniques, we will take a closer look at the host discovery.

-sL Nmap means that there is actually no scan, just listed targets only.

-sn Nmap is a disabled port scanning and for host delivery only.

-Pn Nmap disables the host discovery and allows post-scan only.

-PS Nmap 222-25,80 is a TCP SYN discovery on port x. The default is the port 80.

-PU Nmap 53 is a UDP discovery on the port x. The default is the port 40125.

-PR Nmap means the ARP discovery which is based on the local network.

-n Nmap stands for the action where the DNS resolution is never done.

We came to the port’s specification.

-p Nmap 21 is a port’s scan for the port x.

-p Nmap 21-100 is a port’s range.

-p Nmap U:53, T:21-25,80. Multiple ports scanning (TCP and UDP).

-p- Nmap HTTP, https describes the port’s scan from the service name.

-F Nmap is a fast port’s scan.

–top-ports Nmap -ports 2000 means that the port’s scan is the top x port.

-p-65535 Nmap -65535 is leaving off the end port in the range which makes the scan go through to the port 65535.

-p0- Nmap is leaving off the end port in such a range that makes the scan go through to the port 65535.

Service and the version detection:

-sV Nmap means the attention for determinating the version of the service which is running on the port.

-sV – version intensity Nmap– version-intensity 8 is the intensity level from 0 to 9.

-sV – version light Nmap– version-light enables the light mode. It is faster but has the lower possibility of correctness.

-sV – version-all Nmap–version-all is enabling the intensity of level 9. It is slower but has the higher possibilities of correctness.

-A Nmap is enabling the OS detection, the version detection and also scripting and scanning.

Now, we came to the OS detection examples.

-O Nmap is remoting the OS detection by using TCP/IP stack fingerprinting.

-O –osscan –limit Nmap—osscan-limit will not try to do the OS detection against the host if there is not at least one open or closed TCP port found.

-O—osscan-guess Nmap—osscan-guess is making the Nmap guess more aggressively.

-O—max-os-tries Nmap—max-os-tries 1 is the set maximum number x of the OS detection which tries against the target.

-A Nmap is enabling the OS detection, traceroute, the version detection and the scanning.

It is time to examine the timing and performance examples. Let’s take a closer look together!

-T0 Nmap is actually a paranoid intrusion system detection for evasion.

-T1 Nmap is a sneaky intrusion system detection.

-T2 Nmap politely slows down the scan. It does for the ability to use less bandwidth and less target machine resources.

-T3 Nmap is a normal one, default speed scan.

-T4 Nmap is the aggressive speed scan.

-T5 Nmap 192.168 1.1 is even higher speed, called the insane speed scan.

–host-timeout<time> 1s; 4m; 2h gives up on target after this amount of time.

–min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout<time> 1s; 4m; 2h is specifying the probe round trip time.

–min-hostgroup/max-hostgroup<size<size> 50; 1024 is a parallel host scan group size.

–min-parallelism/max-scan-delay<time> 10; 1 is a probe parallelization.

–scan-delay/–max-scan-delay<time> 20ms; 2s; 4m; 5h which is adjusted delay between the probes.

–max-retries<tries> 3 is specifying the maximum number of the port scan probe retransmissions.

–min-rate<number> 100 sends the packets which are not slower than <numberr> per second.

–max-rate <number> 100 is sending the packets but no faster than <number> per seconds.

NSE scripts examples:

-sC Nmap is the scan with the default NSE scripts. This option is considered very useful and also safe.

–script default Nmap default is actually the default with the NSE scripts. Also considered useful and safe, as the previous one.

–script Nmap =http* scans with a wildcard. The example is actually the http.

–script Nmap =http, the banner is a scan which consists the two scripts. Examples here are the https and the banner.

–script-args Nmap ”not intrusive” is the default scan, but it removes the intrusive scripts.

–script—args Nmap SNMP-sysdescr—script-args snmpcommunity=admin is actually an NSE script with the real arguments.

There are also some more NSE script examples which are very useful. Those are:

The first command is Nmap –Pn –script=http-sitemap-generator scanme.nmap.org. It is actually a HTTP sitemap generator.

Nmap –n –Pn –p 80 –open –sV –vvv –script banner, http-title –iR 1000 is the fast research which is used for some random servers.

Nmap –Pn –script=dns-brute domain.com is the command where the brute forces DNS hostnames which are guessing the subdomains.

Nmap –n –Pn –vv –O –sV –script smb- enum*, smb-ls, smb-mbenum, smb-os-discovery, smb-s*, smb-vuln*, smbv2* -vv is the safe SMB script for running.

Nmap –script whois* domain.com is whois query one.

Nmap –p80 –script http-unsafe-output-escaping scanme.nmap.org is the detection which is used for the cross-site scripting vulnerabilities.

Nmap –p80 –script http-sql-injection scanme.nmap.org is the great check for the SQL injections.

Firewall and IDS evasion and spoofing:

-f Nmap is requesting a scan and also including the ping scans which use tiny fragment IP packets. It is much harder for packet filters.

–mtu Nmap 32 provides you setting your own offset size.

-D Nmap,,, is the option which sends scans from the spoofed IPs.

-D Nmap decoy-ip1,decoy-ip2,your-own-ip,decoy-ip3,decoy-ip4 remote-host-ip is actually the example explained the above.

-S Nmap scans the Facebook from the Microsoft where the –e eth0 –Pn can be required.

-g Nmap 53 uses the given source for the port number.

–proxies Nmap, http//, are the relay connections through the HTTP/SOCKS4 proxies.

–data-length Nmap 200 just appends some random data to some sent packets.

There are also some examples of IDS evasion command, for example:

Nmap –f –t 0 –n –Pn –data-length 200 –D :,,, and


-oN Nmap normal.file, which represents the normal output to the normal.file.

-oX Nmap XML.file is actually a XML output to the XML.file.

-oG Nmap grep.file is the greppable output for the grep.file.

-oA Nmap results which represent the output in the three major formats and all that at once.

-oG- Nmap is a greppable output to the screen where are –oN-, -oX and –also usable.

–append-output Nmap –oN file.file  is the option which appends the scan to the previous scan file.

-v Nmap increases the verbosity level and it uses –vv or more for even better effect.

-d Nmap is increasing the debugging level and it uses –dd or more for much greater effect.

–reason Nmap is displaying the reason why some port is in the particular state (opened or closed).

–open Nmap show the open ports or those that are possible to be opened.

–packet-trace Nmap –T4 which shows all the packets which are sent and also received.

–iflist Nmap is showing the host’s interfaces and the routes.

–resume Nmap.results.file is resuming a scan.

There are also some other helpful Nmap output commands, and those are:

Nmap –p80 –sV –oG – –open grep open which is the scan for the web servers. It agrees to show which IPs are running the web servers.

Nmap –iR 10 –n –oX out.xml grep ”Nmap” cut –d ” ” –f5 > live.hosts.txt is generating the list of the IPs of the live hosts.

Nmap –iR 10 –n –oX out2.xml grep ”Nmap” cut –d ” ” –f5 >> live.hosts.txt is appending the IP to the list of the live hosts.

Ndiff scanl.XML scan2.XML compares the output from the Nmap by using the ndif.

Xsltproc nmap.XML –o nmap.html is converting the Nmap XML files to the HTML files.

Grep ”open” results.Nmap sed –r ‘s/+/ /g’ sort uniq -c sort –rn less. This option reverses the sorted list of how often the ports turn up.

Miscellaneous options:

-6 Nmap 2607:f0d0:1002:51::4 is enabling the IPv6 scanning.

-h Nmap is actually the Nmap help screen.

What are the other useful Nmap commands?

Nmap –iR 10 –PS22-25,80,113,1050,35000 –v –sn is the discovery which happens only on the port x and has no port scan.

Nmap –sn –vv is the arp discovery which happens only on the local network and also doesn’t have the port scan.

Nmap –iR 10 –sn –traceroute is tracerouting the random targets and also doesn’t have the port scan like the two previous ones.

Nmap –sL –dns-server is querying the internal DNS for the hosts. It only lists the targets.

Hope that you have learned a lot! Stay informed!